The FBI Was Kind Enough to Disclose an Already-Patched Vulnerability to Apple

When you think of the FBI, Apple, and security, chances are you aren’t picturing an amicable working relationship designed to ensure the security of American citizens. But there’s actually a White House initiative that’s supposed to force exactly that! Shame it’s not really working.

The Vulnerabilities Equities Program (VEP) is an initiative that’s supposed to balance the desire of US law enforcement to hack into devices with keeping those devices safe from criminals. It’s a process that sounds good on paper but which has yet to disclose any useful, timely information to technology companies regarding major security flaws.

So it should be good news that on April 14th, the FBI made its first disclosure about a security flaw to Apple, under the terms of the VEP. Unfortunately, the flaw only affected older versions of iOS and OS X, and was patched in iOS 9 and OS X El Capitan, according to Apple executives.

So why did the FBI bother disclosing the flaw at all? Well, the best guess is that it’s an appeasement attempt, after the Bureau declined to disclose details about the hack used to get data off the San Bernardino iPhone. If so, it’s not very successful—an Apple exec informed Reuters that “the flaw the FBI disclosed to Apple this month did nothing to change the company’s perception that the White House process is less effective than has been claimed”.

So yes, it’s a token effort from the FBI to pretend to care about customer security. But taken against allegations that the NSA exploited the Heartbleed bug for two years without telling anyone, the picture painted about law enforcement’s concern for security remains rather different. [Reuters]